
Customising Group permissions



49 Posts

17 October 2012 at 5:21am

I'm looking for a way to show some groups to specific users through a ModelAdmin in the CMS. The groups shown are based on a variable added to Group through an extension.

I've got some ideas to get it working but it all seems to fail due to row 406 in Group.php

if(Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin")) return true;

which, if I set that permission on the user group, grants the user access to the Security tab and ALL groups.

Is there any way around this without changing the code in Group.php?



49 Posts

18 October 2012 at 7:27am

Edited: 18/10/2012 7:27am

OK, maybe I misunderstood how this should be working, or maybe there is a bug here. It's not exactly about my post above; I kind of found a way to work that out.

So, let's see if I got this right.
The canEdit() in Group.php is supposed to return false if the current member doesn't have admin permissions and is trying to edit a group that has admin permissions, right? That if-statement reads

		if(
			// either we have an ADMIN
			(bool)Permission::checkMember($member, "ADMIN")
			|| (
				// or a privileged CMS user and a group without ADMIN permissions.
				// without this check, a user would be able to add himself to an administrators group
				// with just access to the "Security" admin interface
				Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") &&
				!DataObject::get("Permission", "GroupID = $this->ID AND Code = 'ADMIN'")
			)
		) {
			return true;
		}

But this could never be true since DataObject::get() always returns a DataList, right? So canEdit() on a group will always return false if currentMember doesn't have ADMIN permissions.

So that part maybe could be rewritten to

Permission::checkMember($member, "CMS_ACCESS_SecurityAdmin") && !Permission::get()->where("GroupID = $this->ID AND Code = 'ADMIN'")->First()

or something similar? Thoughts?
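The difference between the two forms discussed in the thread, as an added example that is not part of the original posts or of SilverStripe's code. It shows that negating a list object is false regardless of its contents, so a member with only CMS_ACCESS_SecurityAdmin is refused on every group, while negating the first row refuses only the group that holds ADMIN. `StubList`, `PERMISSION_ROWS` and the function names are hypothetical stand-ins; PHP 8 is assumed.

```php
<?php
// Added illustration; StubList stands in for SilverStripe's DataList (hypothetical class).
final class StubList
{
    /** @param array<int, array{GroupID:int, Code:string}> $rows */
    public function __construct(private array $rows) {}

    // First matching row, or null when the list is empty.
    public function first(): ?array { return $this->rows[0] ?? null; }
}

// Constructed sample data: group 1 holds ADMIN, group 2 does not.
const PERMISSION_ROWS = [
    ['GroupID' => 1, 'Code' => 'ADMIN'],
    ['GroupID' => 2, 'Code' => 'CMS_ACCESS_SecurityAdmin'],
];

// Mimics the lookup "GroupID = <id> AND Code = 'ADMIN'" over the sample rows.
function adminPermissionsFor(int $groupId): StubList
{
    $rows = array_values(array_filter(
        PERMISSION_ROWS,
        fn(array $r): bool => $r['GroupID'] === $groupId && $r['Code'] === 'ADMIN'
    ));
    return new StubList($rows);
}

// The check as quoted: negates the list object itself, which is always truthy.
function canEditAsQuoted(bool $isAdmin, bool $hasSecurityAdmin, int $groupId): bool
{
    return $isAdmin || ($hasSecurityAdmin && !adminPermissionsFor($groupId));
}

// The check on the list's contents: negates the first row (null when empty).
function canEditOnContents(bool $isAdmin, bool $hasSecurityAdmin, int $groupId): bool
{
    return $isAdmin || ($hasSecurityAdmin && !adminPermissionsFor($groupId)->first());
}

// Non-admin member who holds CMS_ACCESS_SecurityAdmin, tried against both groups.
foreach ([1, 2] as $groupId) {
    printf(
        "group %d: as quoted=%s, on contents=%s\n",
        $groupId,
        var_export(canEditAsQuoted(false, true, $groupId), true),
        var_export(canEditOnContents(false, true, $groupId), true)
    );
}
```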